Documentation
Overview
Package jar implements JAR scanning capabilities for log4j.
Constants
This section is empty.
Variables
This section is empty.
Functions
func NewReader (added in v0.2.0)
NewReader is a wrapper around zip.NewReader that supports self-executable JARs: JAR files with prefixed data, such as a bash script, that allows them to be run directly as a program.
If the ZIP contains a prefix, the returned offset indicates the size of the prefix.
See:
https://kevinboone.me/execjava.html
https://github.com/golang/go/issues/10464
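The prefix detection NewReader relies on, as an added stand-alone example written for this page (it is not the jar package's own code): ZipOffset recovers the prefix size from the end-of-central-directory record, and SelfExecJAR constructs a sample self-executable JAR with a hypothetical launcher script and a placeholder class entry so the computation can be checked offline.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/binary"
	"io"
)

// ZipOffset returns how many bytes precede the ZIP archive in a file (e.g. the
// launcher script of a self-executable JAR) by comparing where the central
// directory really sits with the offset recorded in the end-of-central-directory
// (EOCD) record. Hypothetical helper for this page, not NewReader; no ZIP64 support.
func ZipOffset(ra io.ReaderAt, size int64) (int64, error) {
	n := int64(22 + 65535) // fixed EOCD size plus the longest possible comment
	if size < n {
		n = size
	}
	tail := make([]byte, n)
	if _, err := ra.ReadAt(tail, size-n); err != nil {
		return 0, err
	}
	i := bytes.LastIndex(tail, []byte("PK\x05\x06"))
	if i < 0 || n-int64(i) < 22 {
		return 0, zip.ErrFormat // no complete EOCD record in the tail
	}
	cdSize := int64(binary.LittleEndian.Uint32(tail[i+12:]))
	cdOffset := int64(binary.LittleEndian.Uint32(tail[i+16:]))
	actual := size - n + int64(i) - cdSize // the directory ends where the EOCD begins
	offset := actual - cdOffset
	var sig [4]byte // a genuine central directory starts with its own signature
	if offset < 0 || actual < 0 {
		return 0, zip.ErrFormat
	}
	if _, err := ra.ReadAt(sig[:], actual); err != nil || string(sig[:]) != "PK\x01\x02" {
		return 0, zip.ErrFormat
	}
	return offset, nil
}

// SelfExecJAR builds a constructed sample: launcher script, then a minimal archive.
func SelfExecJAR(prefix string) []byte {
	var buf bytes.Buffer
	buf.WriteString(prefix)
	zw := zip.NewWriter(&buf) // offsets are recorded relative to the archive, not the file
	w, _ := zw.Create("org/apache/logging/log4j/core/lookup/JndiLookup.class")
	w.Write([]byte("constructed placeholder, not real bytecode"))
	zw.Close()
	return buf.Bytes()
}
```

Reading the archive through an io.SectionReader that starts at the returned offset is what lets a standard zip.Reader open the prefixed file.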
func Rewrite
Rewrite attempts to remove any JndiLookup.class files from a JAR.
Rewrite does not account for self-executable JARs and does not preserve the file prefix. The prefix must be handled explicitly, as in the example below, or use RewriteJAR(), which does so automatically.
	zr, offset, err := jar.NewReader(ra, size)
	if err != nil {
		// ...
	}
	dest, err := os.CreateTemp("", "")
	if err != nil {
		// ...
	}
	defer dest.Close()
	if offset > 0 {
		// Copy the self-executable prefix first so the rewritten file still runs directly.
		src := io.NewSectionReader(ra, 0, offset)
		if _, err := io.CopyN(dest, src, offset); err != nil {
			// ...
		}
	}
	// Write the archive, minus any JndiLookup.class entries, after the prefix.
	if err := jar.Rewrite(dest, zr); err != nil {
		// ...
	}
Types
type Parser (added in v0.3.0)
type Parser struct {
	// MaxDepth is the maximum depth of recursive archives below
	// the top level that will be unpacked. Default is 16.
	MaxDepth int
	// MaxBytes is the maximum size of files that will be
	// read into memory during scanning. Default is 4GiB.
	MaxBytes int64
	// Name is the name of the file being parsed. Default is "".
	Name string
	// FileError can be used to handle errors for a JAR file.
	// When checking a file returns an error other than
	// fs.SkipDir, FileError will be called with the offending
	// path and error. If FileError returns nil, checking will
	// continue. Otherwise, checking will abort. Default is to
	// abort checking whenever err != nil.
	FileError func(path string, err error) error
}
Parser allows tuning the parameters of a vulnerable log4j scan. The zero value provides reasonable defaults.
type ReadCloser (added in v0.2.0)
ReadCloser mirrors zip.ReadCloser.
func OpenReader (added in v0.2.0)
func OpenReader(path string) (r *ReadCloser, offset int64, err error)
OpenReader mirrors zip.OpenReader, loading a JAR from a file, but supports self-executable JARs. See NewReader() for details.
func (*ReadCloser) Close (added in v0.2.0)
func (r *ReadCloser) Close() error
Close closes the underlying file.
type Report
type Report struct {
	// Vulnerable reports if a vulnerable version of log4j is included in the
	// JAR and has been initialized.
	//
	// Note that this package considers version 2.15.0 vulnerable.
	Vulnerable bool
	// Vulns gives details on the individual vulnerabilities detected.
	Vulns []*Vuln
	// MainClass and Version are information taken from the MANIFEST.MF file.
	// Version indicates the version of the JAR, NOT the log4j package.
	MainClass string
	Version   string
}
Report contains information about a scanned JAR.
type Vuln (added in v0.5.0)
type Vuln struct {
	// CVE is the CVE ID of the vulnerability.
	CVE string
}
Vuln reports details of a vulnerability detected.
type Walker
type Walker struct {
	// Rewrite indicates if the Walker should rewrite JARs in place as it
	// iterates through the filesystem.
	Rewrite bool
	// SkipDir, if provided, allows the walker to skip certain directories
	// as it scans.
	SkipDir func(path string, de fs.DirEntry) bool
	// HandleError can be used to handle errors for a given directory or
	// JAR file.
	HandleError func(path string, err error)
	// HandleReport is called when a JAR is determined vulnerable. If Rewrite
	// is provided, this is called before the Rewrite occurs.
	HandleReport func(path string, r *Report)
	// HandleRewrite is called when a JAR is rewritten successfully.
	HandleRewrite func(path string, r *Report)
	// Parser will be used when checking JARs, if provided. If
	// unset, a Parser with sensible defaults will be created.
	Parser *Parser
}
Walker implements a filesystem walker that scans for JARs with vulnerable log4j versions and optionally rewrites them.